#1 2024-02-10 16:42:16

Hacksign
Member
Registered: 2012-07-30
Posts: 131

[SOLVED] Can not access other devices under same VPN by swanctl

Hi there

I've set up a VPN, whose CIDR is 192.168.100.0/24, with strongswan's swanctl.

Below is the result of the command swanctl --list-sas on the client side:
(The client is behind a firewall and its internet address is 55.66.77.88; the server's internet address is 11.22.33.44 in my scenario.)

[root@DeviceOne system]# swanctl --list-sas
vpn: #1, ESTABLISHED, IKEv2, 2c127_i* 0f3eb_r
  local  'device-one' @ 192.168.31.2[4500] [192.168.100.101]
  remote '....' @ 11.22.33.44[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 1529s ago, rekeying in 12367s

This can be confirmed on the server side by the command ipsec status:

root@VPNServer:~# ipsec status
Security Associations (2 up, 0 connecting):
IPSec-IKEv2-EAP[11]: ESTABLISHED 28 minutes ago, 11.22.33.44...55.66.77.88[device-one]
IPSec-IKEv2-EAP[9]: ESTABLISHED 65 minutes ago, 11.22.33.44...55.66.77.88[device-two]
IPSec-IKEv2-EAP{4}:  INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: 4cbf_i c1e7_o
IPSec-IKEv2-EAP{4}:   192.168.1.1/32 192.168.2.0/24 192.168.3.0/24 192.168.100.0/24 === 192.168.100.0/24

All logs (ipsec/strongswan) say the authentication succeeded, but there is an unknown problem with routing:

On the client side, the command output:

[root@DeviceOne ~]# ip rule
0:	from all lookup local
220:	from all lookup 220
32766:	from all lookup main
32767:	from all lookup default
[root@DeviceOne ~]# ip route
default via 192.168.31.1 dev end0 proto dhcp src 192.168.31.2 metric 1024 
192.168.31.0/24 dev end0 proto kernel scope link src 192.168.31.2 metric 1024 
192.168.31.1 dev end0 proto dhcp scope link src 192.168.31.2 metric 1024 

Here is my swanctl.conf:

[root@DeviceOne ~]# cat /etc/swanctl/conf.d/vpn-client.conf 
connections {
   vpn {
       version = 2
       encap = yes
       dpd_delay = 30
       dpd_timeout = 90
       vips = 192.168.100.101
       remote_addrs = 11.22.33.44

       local {
           auth = eap-mschapv2
           id = device-one
           eap_id = device-one
       }

       remote {
           certs = vpn-ca.pem 
           id = ....
       }

       children {
           vpn-children {
               local_ts = 192.168.31.0/24  
               remote_ts = 192.168.100.0/24  
               start_action = start
           }  
       }  
   }  
}

secrets {
    eap-mschapv2 {
        id = "device-one"
        secret = "my-password"
    }
}

Currently I can neither access other devices from device-one, nor access device-one from other devices in the same VPN.

My question: how can I access device-one in the VPN 192.168.100.0/24?

Last edited by Hacksign (2024-02-11 14:58:11)


#2 2024-02-11 09:19:54

-thc
Member
Registered: 2017-03-15
Posts: 502

Re: [SOLVED] Can not access other devices under same VPN by swanctl

There is an additional routing table (220). What does the following command show?

ip route show table 220


#3 2024-02-11 14:57:26

Hacksign
Member
Registered: 2012-07-30
Posts: 131

Re: [SOLVED] Can not access other devices under same VPN by swanctl

-thc wrote:

There is an additional routing table (220). What does the following command show?

ip route show table 220

Thanks for the reply. After hours of effort, it turned out the problem was on the server side.

Adding right-side subnet privileges solved the problem.

Here are the details, in case they help anyone else.

As you can see, my client-side IP address is 192.168.31.1/24, which is an unusual IP range, so on the ipsec server side you need to add access privileges on the right side (which is the client side):

conn Some-Conn-Configuration
  .....
  rightsubnet=192.168.31.1/24,xxx.xxx.xx.xx/24,yyy.yyy.yy.yy/24,....
  ....

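The fix in post #3 is consistent with how IKEv2 traffic selectors work: each CHILD_SA carries only the intersection of what both ends propose. The client's swanctl.conf in post #1 offers local_ts 192.168.31.0/24 against remote_ts 192.168.100.0/24, but the server's installed selectors (the "===" line of ipsec status) show the peer side narrowed to 192.168.100.0/24, so packets sourced from 192.168.31.x never match an IPsec policy and the tunnel is useless for the LAN behind device-one. The following Python script is an added example, not part of this thread or of strongSwan: it parses the "{n}: ... === ..." lines from ipsec status and reports which client local_ts prefixes fall outside the server's peer-side selectors. The "before" input is the status output quoted in post #1; the "after" input is a constructed hypothetical of the same line once rightsubnet covers the client LAN.

```python
import ipaddress
import re

# Constructed input: the server-side "ipsec status" lines quoted in post #1,
# before the fix. Only the "{n}: ... === ..." line carries traffic selectors.
SERVER_STATUS_BEFORE = """\
Security Associations (2 up, 0 connecting):
IPSec-IKEv2-EAP[11]: ESTABLISHED 28 minutes ago, 11.22.33.44...55.66.77.88[device-one]
IPSec-IKEv2-EAP{4}:  INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: 4cbf_i c1e7_o
IPSec-IKEv2-EAP{4}:   192.168.1.1/32 192.168.2.0/24 192.168.3.0/24 192.168.100.0/24 === 192.168.100.0/24
"""

# Constructed, hypothetical: the same CHILD_SA after the server's rightsubnet
# also includes the client's LAN (not output taken from the thread).
SERVER_STATUS_AFTER = """\
IPSec-IKEv2-EAP{4}:  INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: 4cbf_i c1e7_o
IPSec-IKEv2-EAP{4}:   192.168.1.1/32 192.168.2.0/24 192.168.3.0/24 192.168.100.0/24 === 192.168.100.0/24 192.168.31.0/24
"""

# The client's local_ts from the swanctl.conf in post #1.
CLIENT_LOCAL_TS = ["192.168.31.0/24"]

# conn{child_id}:   <left selectors> === <right selectors>
_TS_LINE = re.compile(
    r"^(?P<conn>[^\[\]{}]+)\{(?P<cid>\d+)\}:\s+(?P<left>[^=]+?)\s*===\s*(?P<right>.+?)\s*$"
)


def _nets(field):
    """Split an 'a/b c/d' field into networks. strict=False tolerates host
    bits such as 192.168.31.1/24, which is masked to 192.168.31.0/24."""
    return [ipaddress.ip_network(tok, strict=False) for tok in field.split()]


def parse_installed_ts(status_text):
    """Return {child_id: (left_nets, right_nets)} for every installed CHILD_SA
    in ipsec status output. Left is the server side, right is the peer side."""
    out = {}
    for line in status_text.splitlines():
        m = _TS_LINE.match(line)
        if m:
            out[int(m.group("cid"))] = (_nets(m.group("left")), _nets(m.group("right")))
    return out


def uncovered(subnets, selectors):
    """Return (as strings) the subnets not fully contained in any selector.
    Traffic from such an address has no IPsec policy and will not use the SA."""
    return [str(n) for n in subnets if not any(n.subnet_of(s) for s in selectors)]


def check_client_reachability(status_text, client_local_ts):
    """For each CHILD_SA, list the client local_ts prefixes that the server's
    peer-side (right) traffic selectors fail to cover. Empty list == reachable."""
    client_nets = _nets(" ".join(client_local_ts))
    return {
        cid: uncovered(client_nets, right)
        for cid, (_left, right) in parse_installed_ts(status_text).items()
    }


if __name__ == "__main__":
    for label, status in (("before", SERVER_STATUS_BEFORE), ("after", SERVER_STATUS_AFTER)):
        for cid, missing in check_client_reachability(status, CLIENT_LOCAL_TS).items():
            print(f"{label}: CHILD_SA {{{cid}}} uncovered client prefixes: {missing or 'none'}")
```

Run it against the real output of ipsec status (or swanctl --list-sas, whose "===" line has the same shape) on the server and compare with the client's local_ts; any prefix it reports uncovered is one the server's rightsubnet must include before traffic from that prefix can enter the tunnel. One caveat when applying the fix from post #3: widening rightsubnet on a conn shared by several EAP clients lets any client that authenticates through that conn negotiate selectors covering the whole 192.168.31.0/24 range and send ESP traffic sourced from it, so if only device-one sits in front of that LAN, a dedicated conn (or swanctl connection) for that identity with exactly that subnet is the tighter configuration.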
Powered by FluxBB